diff --git a/group_vars/sane.yml b/group_vars/sane.yml
new file mode 100644
index 0000000..a6636ac
--- /dev/null
+++ b/group_vars/sane.yml
@@ -0,0 +1,5 @@
+---
+firewall_in:
+ - {proto: tcp, port: 22, from: [172.20.20.0/22]}
+ - {proto: tcp, port: 443, from: [172.20.20.0/22]}
+ - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
diff --git a/host_vars/sane02.home.foo.sh.yml b/host_vars/sane02.home.foo.sh.yml
new file mode 100644
index 0000000..2c0bdad
--- /dev/null
+++ b/host_vars/sane02.home.foo.sh.yml
@@ -0,0 +1,8 @@
+---
+vmhost: vmhost02.home.foo.sh
+network_interfaces:
+ - device: eth0
+ vlan: 20
+ mac: "52:54:00:ac:dc:88"
+virt_install_devices:
+ - 001.003
diff --git a/hosts.yml b/hosts.yml
index d7faa20..a8c8d80 100644
--- a/hosts.yml
+++ b/hosts.yml
@@ -98,6 +98,9 @@ relay:
 hosts:
 relay01.home.foo.sh:
 relay02.home.foo.sh:
+sane:
+ hosts:
+ sane02.home.foo.sh:
 shell:
 hosts:
 shell01.foo.sh:
@@ -161,6 +164,7 @@ rocky9:
 mirror:
 mongodb:
 prometheus:
+ sane:
 sqldb:
 static:
 vmhost:
diff --git a/playbooks/sane.yml b/playbooks/sane.yml
new file mode 100644
index 0000000..03ef6db
--- /dev/null
+++ b/playbooks/sane.yml
@@ -0,0 +1,40 @@
+--- +- name: Deploy KVM virtual machines + ansible.builtin.import_playbook: include/deploy-kvm-guest.yml + vars: + myhosts: sane + + +- name: Configure instance + hosts: sane + user: root + gather_facts: true + + + vars_files: + - "{{ ansible_private }}/vars.yml" + + + roles: + - base + - sane + - scanservjs + - mod_auth_gssapi + - role: keytab + keytab_path: /etc/httpd/httpd.keytab + keytab_principals: HTTP/scan.foo.sh@FOO.SH + keytab_group: apache + + + tasks: + - name: Require authentication for scanservjs + ansible.builtin.copy: + dest: /etc/httpd/conf.local.d/scanservjs-auth.conf + content: | + + AuthType GSSAPI + GssapiBasicAuth On + AuthName "Password Required" + Require valid-user + + mode: "0644" + owner: root + group: "{{ ansible_wheel }}" + notify: Restart apache +
diff --git a/site.yml b/site.yml
index bcceabe..a942f1d 100644
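Review bot: The three firewall_in entries in group_vars/sane.yml are flow mappings that each repeat the same source list `[172.20.20.0/22]`; writing them in block style with the network held once in a group variable would make the rule set read top-down and let a change of the management range be made in one place. Port 9100 is conventionally the Prometheus node_exporter port, and the inventory hunk does add a prometheus group, but nothing in this file says what listens on it — a comment on that entry such as `# 9100: metrics exporter, scraped from the prometheus hosts — TODO confirm` would document the intent for the next reader. The hunk shows the whole new file, so there is no further context to check.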
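Review bot: `- 001.003` under virt_install_devices in host_vars/sane02.home.foo.sh.yml is an unquoted scalar, and the YAML resolver used by Ansible (PyYAML, 1.1-style float rule) reads it as the float 1.003, so the value rendered for virt-install is `1.003` rather than the literal bus.device identifier; an address such as 001.010 would become 1.01 and name the wrong device. Quote it as `- "001.003"`, in the same way the mac line already quotes `52:54:00:ac:dc:88`. The template that turns virt_install_devices into the virt-install command is outside this diff, so the exact rendering depends on it — worth checking there too.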
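Review bot: The Apache snippet written by the copy task in playbooks/sane.yml pairs `GssapiBasicAuth On` with `Require valid-user`, so every principal in the realm is authorised, including one that arrives through the Basic fallback with a plain password rather than a Kerberos ticket; if the scanner is meant for a subset of users, narrow the directive with an Apache `Require user` (or group) rule, and add a comment above the task stating why the Basic fallback is kept. The Basic path hands the password to httpd, which is only acceptable if the vhost is TLS-only — the group_vars hunk in this commit opens 443 but not 80, which is consistent, and the comment should say so. The first and last lines of the `content: |` block appear empty in this view, which may be rendering loss of the enclosing container directive rather than the file's actual content; please confirm the block is complete. As a point of style, `user: root` is the legacy spelling of the `remote_user` play keyword.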
--- a/site.yml
+++ b/site.yml
@@ -47,6 +47,8 @@
 ansible.builtin.import_playbook: playbooks/proxy.yml
 - name: Configure relay hosts
 ansible.builtin.import_playbook: playbooks/relay.yml
+- name: Configure sane hosts
+ ansible.builtin.import.playbook: playbooks/sane.yml
 - name: Configure shell hosts
 ansible.builtin.import_playbook: playbooks/shell.yml
 - name: Configure sqldb hosts
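Review bot: The entry added to site.yml is spelled `ansible.builtin.import.playbook`, with a dot where every neighbouring entry in the hunk uses an underscore, so Ansible cannot resolve it as a playbook import and should reject site.yml when it is loaded, taking the whole site run down rather than just skipping the sane hosts. Change the line to `ansible.builtin.import_playbook: playbooks/sane.yml`. The new playbooks/sane.yml elsewhere in this commit already uses the correct spelling for its own import of include/deploy-kvm-guest.yml, so this is the only occurrence to fix.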